ESET GUI stops responding and network usage is 100%

[shadowflex 0]

Hi, I have a NAS server connected to my local network and have three mapped network drives in Windows. Sometimes randomly and sometimes when I transfer files from/to these drives, ESET service process in task manager shows 100% network usage and my browser slows to a crawl, can barely open a web page. Any application such as file explorer which uses the drive being scanned stops responding. I suspect if I disable real time scanning for network drives the issue will go away, but that poses a security risk since I often download risky files to this NAS.

I'm linking the .zip OS advanced logs and diagnostic dump I've collected during one such event.: https://mega.nz/file/gkxyiZaQ#AvpUtUH6zrSkY-ccyz7QofDnhD_cbWKLkH5p5J4_qVk

[Marcos 5,085]

Scanning of network drives is disabled by default in the real-time protection setup. Did you enable it manually? Does disabling it make a difference? Did you create some network exclusions?

[shadowflex 0]

7 minutes ago, Marcos said:

Scanning of network drives is disabled by default in the real-time protection setup. Did you enable it manually? Does disabling it make a difference? Did you create some network exclusions?

I believe I may have enabled it a year ago or so. It didn't create any issues until like a week ago when this started to happen. I haven't setup any exclusions related to the NAS. I'll disable the network drive option and wait a day or so to see if I can trigger the behavior again. Do you think it's safe to leave it off in my case?

[shadowflex 0]

10 minutes ago, shadowflex said:

I believe I may have enabled it a year ago or so. It didn't create any issues until like a week ago when this started to happen. I haven't setup any exclusions related to the NAS. I'll disable the network drive option and wait a day or so to see if I can trigger the behavior again. Do you think it's safe to leave it off in my case?

 

24 minutes ago, Marcos said:

Scanning of network drives is disabled by default in the real-time protection setup. Did you enable it manually? Does disabling it make a difference? Did you create some network exclusions?

After disabling network drive setting, I still got the same behavior with high network usage shortly after.

[Marcos 5,085]

Does temporarily disabling HIPS and rebooting the machine make a difference? If not, what about temporarily uninstalling ESET?

[shadowflex 0]

2 hours ago, Marcos said:

Does temporarily disabling HIPS and rebooting the machine make a difference? If not, what about temporarily uninstalling ESET?

It happened again with HIPS disabled, I tried twice to enable and disable it, restarted my computer both times. The high traffic always comes from ekrn.exe. It completely saturates my 1gbit connection to the point where I can barely do anything browser related.

[itman 1,667]

40 minutes ago, shadowflex said:

The high traffic always comes from ekrn.exe. It completely saturates my 1gbit connection to the point where I can barely do anything browser related.

When this activity occurs, open Eset GUI -> Setup -> Network Protection. Does "Recently blocked applications or devices" show a non-zero value?

[shadowflex 0]

Just now, itman said:

When this activity occurs, open Eset GUI -> Setup -> Network Protection. Does "Recently blocked applications or devices" show a non-zero value?

Yeah, I could barely open it though before the application froze, multiple windows services like svhost etc, get blocked up to 700 times. I seem to be able to reproduce it by unplugging and pluggin my network cable, after which this abnormal network activity starts. Some applications on my computer completely freeze when this happens, such as the eset gui.

[itman 1,667]

I believe the problem here is the Eset default firewall rule for "Allow access to shared files and printers." This rule will only allow remote access to IP addresses listed in the firewall Trusted zone. The problem is your existing Eset network connection/s were established using the Win firewall profile which by default is the Public profile. The Eset Public profile does not create any local network IP addresses for the Trusted Zone.

What you will have to do is create an equivalent Est default "Allow access to shared files and printers" rule specifying the IP address for the three mapped network drives in the Remote host setting. Then move the new rule prior to the existing "Allow access to shared files and printers" rule.

Alternatively, you can use the Eset Network Wizard to unblock all existing blocked communication by selecting "Resolve blocked communication" and manually unblocking everything shown as blocked. The Wizard will create necessary Eset firewall rules to allow the network activity. Note that the burden is on you to verify that this activity is legit network communication.

[shadowflex 0]

1 minute ago, itman said:

I believe the problem here is the Eset default firewall rule for "Allow access to shared files and printers." This rule will only allow remote access to IP addresses listed in the firewall Trusted zone. The problem is your existing Eset network connection/s were established using the Win firewall profile which by default is the Public profile. The Eset Public profile does not create any local network IP addresses for the Trusted Zone.

What you will have to do is create an equivalent Est default "Allow access to shared files and printers" rule specifying the IP address for the three mapped network drives in the Remote host setting. Then move the new rule prior to the existing "Allow access to shared files and printers" rule.

Alternatively, you can use the Eset Network Wizard to unblock all existing blocked communication by selecting "Resolve blocked communication" and manually unblocking everything shown as blocked. The Wizard will create necessary Eset firewall rules to allow the network activity. Note that the burden is on you to verify that this activity is legit network communication.

I'm not entirely sure it's because of these blocked communication, because it's happening again right now and it shows zero blocked communication. It probably happened the first time because of me plugging and unplugging the network cable. If it happens randomly it doesn't show any blocked applications.

[Marcos 5,085]

Please configure Windows to generate complete memory dumps as per https://support.eset.com/en/kb380.

After a reboot try to reproduce the issue and manually initiate a crash as per the above instructions so that a complete memory dump is created. After a reboot compress the dump and supply it to us for perusal.

[itman 1,667]

7 hours ago, shadowflex said:

I have a NAS server connected to my local network

Let's go back to this.

Via Eset GUI -> Advanced setup -> Network access protection, Open IP sets per below screen shot;

Do you see the IP address associated with the NAS server listed under Local Connections?

Also, verify that your Eset Network connection is using the Public profile;

 

 

 

[shadowflex 0]

3 hours ago, Marcos said:

Please configure Windows to generate complete memory dumps as per https://support.eset.com/en/kb380.

After a reboot try to reproduce the issue and manually initiate a crash as per the above instructions so that a complete memory dump is created. After a reboot compress the dump and supply it to us for perusal.

I tried to do it twice following the guide, but it doesn't create a dump file, only makes the pagefile large after reboot.

 

1 hour ago, itman said:

Let's go back to this.

Via Eset GUI -> Advanced setup -> Network access protection, Open IP sets per below screen shot;

Do you see the IP address associated with the NAS server listed under Local Connections?

Also, verify that your Eset Network connection is using the Public profile;

 

 

 

It's not listed in local connections. I changed the profile to private today, it used to be automatic. I've set it to public.

[itman 1,667]

I will also add that many NAS servers have their own firewalls and it might be a factor here. This article: https://www.aplens.co/blog/synology-nas-comes-with-stateless-firewall-here-s-how-to-setup deals with setting up the Synology NAS firewall;

Quote

The default firewall settings on a Synology NAS are pretty open. Anyone with an IP address on one of the network ports can connect to it remotely. This includes people inside your local network (usually with ip address 192.168.x.x ), as well as people outside your local network.

Note: 192.168.x.x and 172.16.x.x IP addresses are private addresss and thus only reachable within internal network.

If you want to restrict remote access to specific devices, you must set up port-based firewall rules. These rules apply to every device connected to the NAS. You cannot add exceptions for particular devices.

Synology default configuration is to use port 5000 for HTTP and 5001 for HTTPS. Therefore, remember not to block TCP port 5000 and 5001 with firewall rules.

Edited October 30, 2023 by itman

[shadowflex 0]

I should've mentioned that my NAS is custom, not from a brand. It's just a PC running Ubuntu with Samba configured for the drives, nothing fancy. I've not touched it's firewall or anything else.

[itman 1,667]

29 minutes ago, shadowflex said:

I tried to do it twice following the guide, but it doesn't create a dump file, only makes the pagefile large after reboot.

Did you follow the instructions given in this section, Generate a memory dump manually?

[shadowflex 0]

7 minutes ago, itman said:

Did you follow the instructions given in this section, Generate a memory dump manually?

Yes, it's set to complete memory dump and I modified the registry so I can manually create a crash, but no file is written, only the pagefile gets bigger. I think I read some articles about the pagefile being encrypted which prevents a dump from being written, but I'll have to investigate further.

Edited October 30, 2023 by shadowflex

[itman 1,667]

11 hours ago, shadowflex said:

After disabling network drive setting, I still got the same behavior with high network usage shortly after.

I am starting to believe that due to the way you set up NAS, Eset doesn't recognize those drives as network drives.

You might have to add those drives manually to Eset Real-time scanning Performance exclusions as shown here: https://help.eset.com/eis/16.2/en-US/idh_performance_exclusions.html ; e.g.  N:\*, O:\*, etc..

Edited October 30, 2023 by itman

[itman 1,667]

11 hours ago, Marcos said:

Scanning of network drives is disabled by default in the real-time protection setup.

Actually, its enabled in my ESSP 16.2.15 installation.

[Marcos 5,085]

11 hours ago, shadowflex said:

Yes, it's set to complete memory dump and I modified the registry so I can manually create a crash, but no file is written, only the pagefile gets bigger. I think I read some articles about the pagefile being encrypted which prevents a dump from being written, but I'll have to investigate further.

The instructions for USB and PS/2 keyboards are slightly different, please make sure you configure the registry values properly and finally reboot the machine:

https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard

A crash (BSOD) can be then initiated by holding the rightmost Ctrl key and pressing the Scroll Lock twice.

[itman 1,667]

Looks like my prior assumption was correct.

I found an article on setting up NAS using Ubuntu and Samba here: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-samba-share-for-a-small-organization-on-ubuntu-16-04 .

The bottom line is once the Ubuntu device drive shares are properly set up on a Windows based device, they are viewed by Windows as local drives.

Also Samba uses port 445. Since the shares were accessible on the Windows device, Eset firewall wasn't the problem.

Therefore, the only solution appears to be to exclude the shared drives from Eset real-time scanning as posted previously.

[shadowflex 0]

On 10/30/2023 at 2:20 PM, Marcos said:

If not, what about temporarily uninstalling ESET?

I ran my PC today without ESET just to make sure it wasn't something else and I obviously didn't experience the issue. 

 

6 minutes ago, itman said:

Therefore, the only solution appears to be to exclude the shared drives from Eset real-time scanning as posted previously.

I'll reinstall it and exclude the drives to see if this is the solution.

[itman 1,667]

3 hours ago, shadowflex said:

I ran my PC today without ESET just to make sure it wasn't something else and I obviously didn't experience the issue. 

This revealed and pondering a bit more, what is different between Microsoft Defender and Eset? Well, MD doesn't perform SSL/TLS protocol scanning.

Next is the main problem appears to be network bandwidth saturation when these Samba drive shares are being accessed.

Let's "connect the dots."

Below is an excerpt for the Digital Ocean article in regards to set up of a Samba drive share in Windows;

Quote

3. Click on Choose a custom network location.
4. Click Next
5. Enter the Windows style address of the Samba server and the share name. Windows uses the following form of a Samba URL: \\your_samba_hostname_or_server_ip\share\. In the example image the server name is samba.example.com and the share name is david: \\samba.example.com\david.
6. Click Next.
7. Enter the username and password for the user.
8. Decide whether or not you want Windows to remember the password.
9 Click OK.

File Explorer will now connect to the Samba share. Once the connection has successfully completed, a new location will be created under This PC in File Explorer:

You will now be able to use this folder to manage files and folders in the Samba share as if it were a local folder.

My suspicion here is since the Samba server is being accessed via URL, Eset is performing SSL/TLS scanning on everything being downloaded from the server?

Edited October 31, 2023 by itman

[Marcos 5,085]

Excluding network paths can cause issues if the location is unavailable or inaccessible.

[itman 1,667]

13 hours ago, Marcos said:

Excluding network paths can cause issues if the location is unavailable or inaccessible.

I would try adding the local network IP address for the Ubuntu device to the Web access protection Excluded IPs address per below screen shot and see if that eliminates the problem.

Edited November 1, 2023 by itman